``net.listen()`` configuration call. The most notable examples of such systems are CentOS 7 and macOS.

.. warning:: On machines with multiple IP addresses avoid listening on wildcards ``0.0.0.0`` or ``::``. Knot Resolver could answer from different IP addresses if the network address ranges overlap, and clients would probably refuse such a response.

Network configuration using systemd
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. warning:: You MUST NOT repeat the localhost defaults in the following drop-in overrides, otherwise the socket will fail to start with an "Address in use" error. To view the entire socket configuration, including any drop-ins, use ``systemctl cat``.

To configure kresd to listen on a **public interface** using the original DNS protocol,

.. note:: Using IPv6 to bind to IPv4 interfaces is currently not compatible with IPv4 syntax in ``view:addr()`` when using the ``view`` module. For possible workarounds, see https://gitlab.labs.nic.cz/knot/knot-resolver/issues/445

It can also be useful if you want to use the Knot DNS authoritative server with the `dnsproxy module`_ to have both the resolver and the authoritative server running on the same machine. This is not a recommended configuration, but it can be done like this:

When configuring sockets for :ref:`mod-http-doh`, make sure you have ``kresd-doh.socket`` installed; it might be part of a separate ``knot-resolver-module-http`` package.

.. warning:: Make sure you read section :ref:`mod-http-doh` before exposing the DoH protocol to the outside.

.. code-block:: lua

   > net.bufsize()
   4096

.. function:: net.tcp_pipeline([len])

   Get/set the per-client TCP pipeline limit, i.e. the number of outstanding queries that a single client connection can make in parallel. Default is 100.

   .. code-block:: lua

      > net.tcp_pipeline()
      100
      > net.tcp_pipeline(50)
      50

   .. warning:: Please note that too large a limit may have a negative impact on performance and can lead to an increased number of SERVFAIL answers.

.. function:: net.outgoing_v4([string address])

   Get/set the IPv4 address used to perform queries. There is also ``net.outgoing_v6`` for IPv6. The default is ``nil``, which lets the OS choose any address.

.. _tls-server-config:

TLS server configuration
^^^^^^^^^^^^^^^^^^^^^^^^

The DNS-over-TLS server (:rfc:`7858`) is enabled by default on the loopback interface, port 853. Information on how to configure listening on specific IP addresses is in the previous sections: :ref:`network-configuration`.

By default a self-signed certificate is generated. For serious deployments it is strongly recommended to configure your own TLS certificates signed by a trusted CA. This is done using the function :c:func:`net.tls()`.

.. function:: net.tls([cert_path], [key_path])

   Get/set the path to a server TLS certificate and private key for DNS/TLS.

   Example output:

   .. code-block:: lua

      > net.tls("/etc/knot-resolver/server-cert.pem", "/etc/knot-resolver/server-key.pem")
      > net.tls()  -- print configured paths
      ("/etc/knot-resolver/server-cert.pem", "/etc/knot-resolver/server-key.pem")

.. function:: net.tls_padding([true | false])

   Get/set EDNS(0) padding of answers to queries that arrive over TLS transport. If set to ``true`` (the default), it will use a sensible default padding scheme, as implemented by libknot if available at compile time. If set to a numeric value >= 2 it will pad the answers to the nearest *padding* boundary, e.g. if set to ``64``, the answer will have a size that is a multiple of 64 (64, 128, 192, ...). If set to ``false`` (or a number < 2), it will disable padding entirely.

.. function:: net.tls_sticket_secret([string with pre-shared secret])

   Set the secret for TLS session resumption via tickets, by :rfc:`5077`. The server-side key is rotated roughly once per hour. By default, or if called without a secret, the key is random. That is good for long-term forward secrecy, but multiple kresd instances won't be able to resume each other's sessions. If you provide the same secret to multiple instances, they will be able to resume each other's sessions *without* any further communication between them. This synchronization works only among instances having the same endianness and ``time_t`` structure and size (``sizeof(time_t)``).

   **For good security** the secret must have enough entropy to be hard to guess, and it should still be occasionally rotated manually and securely forgotten, to reduce the scope of the privacy leak in case the `secret leaks eventually <https://en.wikipedia.org/wiki/Forward_secrecy>`_.

   .. warning:: **Setting the secret is probably too risky with TLS <= 1.2**. GnuTLS stable release supports TLS 1.3 since 3.6.3 (summer 2018). Therefore setting the secrets should be considered experimental for now and might not be available on your system.

.. function:: net.tls_sticket_secret_file([string with path to a file containing pre-shared secret])

   The same as :func:`net.tls_sticket_secret`, except the secret is read from a (binary) file.
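A complete ``kresd.conf`` that puts the network and TLS settings of this page together, written here as an added example (it is not from the Knot Resolver documentation or project). It binds explicit addresses instead of the wildcards the warning at the top advises against, installs a CA-signed certificate via ``net.tls()`` only after checking both files are readable, keeps TLS padding enabled, and shares a session-ticket secret across instances only when a key file of adequate length exists, falling back to the default random per-instance key otherwise. Assumptions not taken from the page: the Knot Resolver 4.x ``kind`` flag syntax of ``net.listen()``, the documentation addresses ``192.0.2.53`` and ``2001:db8::53``, the ``/etc/knot-resolver/sticket.key`` path and the 32-byte minimum length; the file also assumes kresd is started without systemd socket activation (as on CentOS 7 or macOS), since otherwise ports 53 and 853 are already bound by ``kresd.socket`` and ``kresd-tls.socket``.

```lua
-- /etc/knot-resolver/kresd.conf (added example, not the project's own config)
-- Assumes Knot Resolver 4.x net.listen() syntax and no systemd socket activation.

-- Refuse to start with an unreadable certificate or key, so the failure
-- message names the file instead of leaving the generated self-signed
-- certificate in place unnoticed.
local cert = '/etc/knot-resolver/server-cert.pem'
local key  = '/etc/knot-resolver/server-key.pem'
for _, path in ipairs({ cert, key }) do
    local f = assert(io.open(path, 'rb'), 'TLS file not readable: ' .. path)
    f:close()
end
net.tls(cert, key)

-- EDNS(0) padding of answers over TLS; true selects the libknot default scheme.
net.tls_padding(true)

-- Bind explicit addresses rather than 0.0.0.0 / :: so that every answer leaves
-- from the address the client sent to. These are documentation addresses
-- (RFC 5737 / RFC 3849); substitute the host's real ones.
local addrs = { '192.0.2.53', '2001:db8::53' }
for _, addr in ipairs(addrs) do
    net.listen(addr, 53,  { kind = 'dns' })   -- plain DNS over UDP and TCP
    net.listen(addr, 853, { kind = 'tls' })   -- DNS-over-TLS (RFC 7858)
end

-- Share the session-ticket secret across instances only when a key file of
-- sufficient length is present; otherwise keep the per-instance random key,
-- which is the default and gives the best forward secrecy.
local secret_path = '/etc/knot-resolver/sticket.key'  -- assumed path
local MIN_SECRET_BYTES = 32                            -- assumed minimum
local sf = io.open(secret_path, 'rb')
if sf then
    local data = sf:read('*a')
    sf:close()
    if #data >= MIN_SECRET_BYTES then
        net.tls_sticket_secret_file(secret_path)
    else
        print(string.format('sticket secret %s is only %d bytes; using random per-instance key',
                            secret_path, #data))
    end
end
```

The key file is created once from a CSPRNG (for example ``head -c 32 /dev/urandom > /etc/knot-resolver/sticket.key`` with mode 0600) and copied to every instance that should resume each other's sessions; rotation means replacing the file and restarting the instances, and the only-if-present logic keeps a single missing or truncated copy from silently breaking resumption across the group.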